Create an Azure App Registration for Disk Encryption

Enabling Azure Disk Encryption requires the creation of a dedicated account to be able to access a Key Vault for the backup of disk encryption keys. This occurs through enabling an Application Registration in the desired tenant and providing the associated Service Principal Key Wrap and Secret Set rights to the Key Vault in question.

This PowerShell script snippet will create the Client ID and Client secret needed to deploy disk encryption. The used of these elements is highlighted from a Disk Encryption template below.

The created Service Principal needs to be added to the targeted key vault with Wrap Key and Set Secret permissions.

The vault also needs to be enabled with access for the Azure provisioning service to retrieve Disk Encryption keys for machines in case of key loss.

Example Script

This script uses the password generation function created and shared by Simon Wåhlin

Also note the domain name at the bottom of the script is set to laurierhodes.info. This should be set to your own domain.

#Login-AzureRmAccountcls$aadAppName="ar-dev-diskencryption"<#########################
Functions
###########################>function New-SWRandomPassword {<#
.Synopsis
Generates one or more complex passwords designed to fulfill the requirements for Active Directory
.DESCRIPTION
Generates one or more complex passwords designed to fulfill the requirements for Active Directory
.EXAMPLE
New-SWRandomPassword
C&3SX6Kn
Will generate one password with a length between 8 and 12 chars.
.EXAMPLE
New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 12 -Count 4
7d&5cnaB
!Bh776T"Fw
9"C"RxKcY
%mtM7#9LQ9h
Will generate four passwords, each with a length of between 8 and 12 chars.
.EXAMPLE
New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4
3ABa
Generates a password with a length of 4 containing atleast one char from each InputString
.EXAMPLE
New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4 -FirstChar abcdefghijkmnpqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ
3ABa
Generates a password with a length of 4 containing atleast one char from each InputString that will start with a letter from
the string specified with the parameter FirstChar
.OUTPUTS
[String]
.NOTES
Written by Simon Wåhlin, blog.simonw.se
I take no responsibility for any issues caused by this script.
.FUNCTIONALITY
Generates random passwords
.LINK
http://blog.simonw.se/powershell-generating-random-password-for-active-directory/
#>[CmdletBinding(DefaultParameterSetName='FixedLength',ConfirmImpact='None')][OutputType([String])]Param(# Specifies minimum password length[Parameter(Mandatory=$false,
ParameterSetName='RandomLength')][ValidateScript({$_-gt0})][Alias('Min')][int]$MinPasswordLength=8,# Specifies maximum password length[Parameter(Mandatory=$false,
ParameterSetName='RandomLength')][ValidateScript({if($_-ge$MinPasswordLength){$true}else{Throw'Max value cannot be lesser than min value.'}})][Alias('Max')][int]$MaxPasswordLength=12,# Specifies a fixed password length[Parameter(Mandatory=$false,
ParameterSetName='FixedLength')][ValidateRange(1,2147483647)][int]$PasswordLength=8,# Specifies an array of strings containing charactergroups from which the password will be generated.# At least one char from each group (string) will be used.[String[]]$InputStrings=@('abcdefghijkmnpqrstuvwxyz','ABCEFGHJKLMNPQRSTUVWXYZ','23456789','#%'),# Specifies a string containing a character group from which the first character in the password will be generated.# Useful for systems which requires first char in password to be alphabetic.[String]$FirstChar,# Specifies number of passwords to generate.[ValidateRange(1,2147483647)][int]$Count=1)
Begin {Function Get-Seed{# Generate a seed for randomization$RandomBytes=New-Object-TypeName'System.Byte[]'4$Random=New-Object-TypeName'System.Security.Cryptography.RNGCryptoServiceProvider'$Random.GetBytes($RandomBytes)[BitConverter]::ToUInt32($RandomBytes,0)}}
Process {For($iteration=1;$iteration -le$Count; $iteration++){$Password=@{}# Create char arrays containing groups of possible chars[char[][]]$CharGroups=$InputStrings# Create char array containing all chars$AllChars=$CharGroups|ForEach-Object{[Char[]]$_}# Set password lengthif($PSCmdlet.ParameterSetName -eq'RandomLength'){if($MinPasswordLength-eq$MaxPasswordLength){# If password length is set, use set length$PasswordLength=$MinPasswordLength}else{# Otherwise randomize password length$PasswordLength=((Get-Seed)%($MaxPasswordLength+1-$MinPasswordLength))+$MinPasswordLength}}# If FirstChar is defined, randomize first char in password from that string.if($PSBoundParameters.ContainsKey('FirstChar')){$Password.Add(0,$FirstChar[((Get-Seed)%$FirstChar.Length)])}# Randomize one char from each groupForeach($Groupin$CharGroups){if($Password.Count -lt$PasswordLength){$Index= Get-Seed
While($Password.ContainsKey($Index)){$Index= Get-Seed
}$Password.Add($Index,$Group[((Get-Seed)%$Group.Count)])}}# Fill out with chars from $AllCharsfor($i=$Password.Count;$i -lt$PasswordLength;$i++){$Index= Get-Seed
While($Password.ContainsKey($Index)){$Index= Get-Seed
}$Password.Add($Index,$AllChars[((Get-Seed)%$AllChars.Count)])}Write-Output-InputObject $(-join ($Password.GetEnumerator()|Sort-Object-Property Name |Select-Object-ExpandProperty Value))}}}<#########################
Azure Script
###########################>$aadClientSecret= New-SWRandomPassword -MinPasswordLength 25-MaxPasswordLength 30-Count1#$aadClientSecret = ConvertTo-SecureString -String $aadClientSecret -AsPlainText -Force$startDate=[System.DateTime]::Now
$endDate=$startDate.AddYears(5)
try {$azureAdApplication= New-AzureRmADApplication -DisplayName$aadAppName `
-HomePage "https://$($aadAppName).laurierhodes.info"-IdentifierUris "https://$($aadAppName).laurierhodes.info"-Password (ConvertTo-SecureString-String$aadClientSecret-AsPlainText-Force)-EndDate $endDate$servicePrincipal=""$servicePrincipal= New-AzureRmADServicePrincipal –ApplicationId $azureAdApplication.ApplicationId
write-output"-----------------"write-output"ServicePrincipal = $($servicePrincipal.DisplayName)"write-output"ServicePrincipalID = $($servicePrincipal.ApplicationId)"write-output"Client Secret = $($aadClientSecret)"}
catch{throw"Fatal Error $($error[0])"}